Securing Payment Gateways: a Collaborative Effort

A sustained push from the government and the Reserve Bank of India, in the form of initiatives and reforms aimed at widening banking outreach, has driven a transformation in payments technology and its adoption.

The new payment systems and form factors enable businesses to use technology to become more efficient, cost-effective and grow, but at the same time they introduce huge security challenges for CISOs, who are required to stay ahead of the curve to secure against attacks and breaches.

This is the theme that emerged during the SISA Summit 2016 (held in Mumbai), as a panel of experts debated "Payments Security: Think Ahead of the Curve."

The panel argued that securing payments requires a collaborative effort, with all stakeholders, including CISOs, business heads, operators and users, taking responsibility for adhering to security measures.

According to SISA's Bhatnagar, "Payment security is not one person's job. As new technologies in payment bring a multitude of risks drawn from varied sources and end points, every stakeholder plays a role in establishing certain basic security standards during the payment process."

Payment Challenges

The evolution of payment methods and technologies such as near field communication, m-payments, m-banking, mobile wallets, point of sale, immediate payment service, unified payment interface and payment gateways has given sleepless nights not just to CISOs but also to business heads, who must live up to the trust placed in them by customers who expect secure transactions.

Security experts see a big surge in mobile wallets and mobile payments in the country; although still in their infancy, these are expected to grow by more than 50 percent in the next two years.

"As the world moves into contact-less payment, the challenge for us as service providers is to ensure that every attack becomes an expensive and complicated proposition for the attacker, with stringent security controls and adapting every standard available," says Concentrix's Rajpal.

Sarvatra's Prabhu sees growing concern among many co-operative and regional banks about adopting new-age payment systems, as their customers are not equally knowledgeable. "At this point of time, I do not share the enthusiasm of a cardless world, as most banks are just taking to core-banking," he says.

Axis's Jain sees three distinct challenges that new technologies would bring in:

Client security brings in new forms of risks with new mobile form factors;

Customers using applications, most of which are not built with secure coding practices;

Digital India providing new digital identities to every individual transaction, which increases the potential for phishing attacks.

"The source of emanating risks due to new payment methods has increased alarmingly," says Jain.

Paynguin's Thimmana points out that as over 50 percent of citizens are still not comfortable transacting online, and 45 percent of them do not have access to new payment methods, they are bound to depend on third parties. This lack of awareness of how to conduct a secure transaction is going to be a huge challenge.

Measures for a Secured Transaction

The big concern for security leaders today is how to keep new mobile-based banking transactions secure.

"What kind of new standards should we follow, how good do the old standards hold, and what more needs to be looked at?" are the questions posed by Bhatnagar.

Security leaders say that while having security controls and deploying standards are fine, a collaborative approach is required to address the new-age payment security challenge. They argue that a risk-based strategy is important in tackling the challenges in place of a compliance-based strategy.

According to Thimmana, "It is not the form factors we need to be concerned about, but the technology gaps existing between various teams, business groups and customers about understanding security where anyone can become the weakest link.

"A strong information-sharing and collaborative approach to make everyone cognizant of security is critical to respond to cyber threats which are inevitable," he says.

For Prabhu, the primary task is to build awareness and spot the loopholes in the transaction system at every level with a strong assumption that criminals are smarter than the users.

Rajpal suggests, "The key risk mitigation to address new age technology challenges would be to have strong security control measures and enforce shared responsibility of the mobile wallet (or any other operator) and end-users to ensure sufficient security is established.

"I would see mobile devices being shipped with the operators installing security frameworks and doing valid checks to ensure that customer data is protected in any transaction," he argues.

Jain sees the need for a mandatory disclosure norm, as breaches and online fraud cannot be avoided. "This will help every bank and financial institution take serious note of risks and prevention mechanisms," he says. "Every enterprise should have a designated CISO to help the organisation and its employees securely leverage payment innovations," says Jain.

"While it is critical for every institution to adopt PCI DSS norms and RBI security guidelines, the person in charge should reinforce the concept of data privacy among employees and secure all end-points to tackle the risks that new payment methods usher in," says Bhatnagar.

About the Author

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.
